<html>
<head><meta charset="utf-8"><title>is this exploitable? · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html">is this exploitable?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136428234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136428234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136428234">(Oct 24 2018 at 18:40)</a>:</h4>
<p>I've found an open bug in Rust stdlib dating back to 2017, marked "unsound": <a href="https://github.com/rust-lang/rust/issues/46775" target="_blank" title="https://github.com/rust-lang/rust/issues/46775">https://github.com/rust-lang/rust/issues/46775</a> <br>
This smells like a potential use-after-free to me, but I'm not sufficiently competent to verify that. I'd appreciate it if someone more familiar with C and POSIX could take a look.</p>



<a name="136437117"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136437117" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136437117">(Oct 24 2018 at 21:23)</a>:</h4>
<p>There's definitely a UAF, and it doesn't even take a race condition. I just left a comment laying it out (hopefully I didn't screw something up!).</p>



<a name="136437379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136437379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136437379">(Oct 24 2018 at 21:29)</a>:</h4>
<p>Is there an easy way to get an ASAN stdlib?</p>



<a name="136437495"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136437495" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136437495">(Oct 24 2018 at 21:31)</a>:</h4>
<p>Eh, never mind, didn't even need that.</p>



<a name="136437912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136437912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136437912">(Oct 24 2018 at 21:37)</a>:</h4>
<p>So, uh, what's the process for vulnerabilities in the stdlib? Should I stop posting stuff publicly?</p>



<a name="136438017"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136438017" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136438017">(Oct 24 2018 at 21:39)</a>:</h4>
<p>I'd err on the side of caution and follow the policy until they tell you it's fine to keep working in the open: <a href="https://www.rust-lang.org/en-US/security.html" target="_blank" title="https://www.rust-lang.org/en-US/security.html">https://www.rust-lang.org/en-US/security.html</a></p>



<a name="136438128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136438128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136438128">(Oct 24 2018 at 21:41)</a>:</h4>
<p>Weird that this bug report sat on the tracker for 10 months with no comment.</p>



<a name="136458970"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136458970" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136458970">(Oct 25 2018 at 06:34)</a>:</h4>
<p>it was on my list to try and exploit, never got around to that though^^</p>



<a name="136458978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136458978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136458978">(Oct 25 2018 at 06:35)</a>:</h4>
<p>and there is a related one, even older: <a href="https://github.com/rust-lang/rust/issues/39575" target="_blank" title="https://github.com/rust-lang/rust/issues/39575">https://github.com/rust-lang/rust/issues/39575</a></p>



<a name="136473618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136473618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136473618">(Oct 25 2018 at 12:24)</a>:</h4>
<p>As to "is it exploitable": you'd have to write a bunch of code that I think would never exist in the real world, but with some heap grooming I'm sure you could turn this UAF into an arbitrary read/write and go from there.</p>



<a name="136475061"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136475061" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136475061">(Oct 25 2018 at 12:56)</a>:</h4>
<p>by "exploit" I just meant "trigger UB", which you did. as far as I am concerned that's enough to make this critical, I don't care about going the extra mile of actually taking over a real program.</p>



<a name="136475162"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136475162" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136475162">(Oct 25 2018 at 12:59)</a>:</h4>
<p>FWIW, if this were a Firefox vulnerability (I'm on the Firefox security team and help with vulnerability triage), I'd probably mark it sec-moderate.</p>



<a name="136502585"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/is%20this%20exploitable%3F/near/136502585" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/is.20this.20exploitable.3F.html#136502585">(Oct 25 2018 at 19:51)</a>:</h4>
<p>PR is up: <a href="https://github.com/rust-lang/rust/pull/55359" target="_blank" title="https://github.com/rust-lang/rust/pull/55359">https://github.com/rust-lang/rust/pull/55359</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>